1. (Currently Amended) A system, comprising:

>H i ( iecto itn s thai disposed > a om m in nuion t< 
jut »i ! * host connection pairs from packets that are sent between nodes on a network; and 

l < 1 i . ts liu O 1 ; i { i t 

collector devices, and which produces a connection table that maps each node on the network to
a record that stores information about packet traffic to or from the node.

2. (Currently Amended) The system of claim 1 wherein the aggregator determines at least
in part from connection patterns derived from the connection table occurrences of network
events MtlM?Sat&. potential network intrusions.

> {( »!i> » <> ' 1 1 I > I c 1 ! 1 ^ ! _ ' 1 f { 

a process that collects statistical information on packets that are sent between nodes on a
k*w td v. send the statistical information to the aggregator.

d .'Pi^ u • Pu--ci tero K< s\ ,iem Jam ! - <^o x L >c j^ /iuntt" 
comprises: 

a process to detect anomalies in connection patterns; and

a process to aggregate detected anomalies into the network events.

5. {Oris nut i 1 he s>stu» ot a i f wberem i < d o \ , i a vsoi link to devices 
in the network. 
(Previously Presented) The system of claim 4 wherein the anomalies include denial of
service ,u J ji id ,

x^se o snfc f s stenoH in 1 a re e an o v JaJ 

' a * 1 t > id Trn propagatio 

8. (Original) The system of claim 1 wherein the connection table includes a plurality of 
records that are indexed by source address.

9. (Original) The system of claim 1 wherein the connection table includes a plurality of
records that are indexed by destination address.

JO (Oi su i l iic si teno elan 1 uo> aKc sn t 

records that are indexed by time.

11. (Original) The system of claim 1 wherein the connection table includes a plurality of
records that are indexed by source address, destination address and time.

12. (Original) The system of claim 1 wherein the connection table includes a plurality of
connection sub-tables to track data at different time scales.

13. (Currently Amended) The system of claim 4- 12 wherein the connection sub-tables
include a time-slice connection table that operates on a small unit of time and at least one other
sub-table that operates on a larger unit of time than the time slice sub-table with each sub-table
) g the s ecords eceived oraa Electors during re c u ts o ti ie 

14. (Currently Amended) A method, comprises: 

sending connection information to identify host connection pairs kom collected from a 
ecu devices oat iggregatOiiand 
producing in the aggregator a connection table that maps each node on the network to a
record that stores information about traffic to or from the node. 

UVs vUo\ £ b -,ei tuO in Kit, ot uan S - „, , ,s .01 
eotie,s j. s\. - x A losm-Oam .<> Jv .oU . n t c\ c o send in the eepuyean >r u< - e- 

16. (Currently Amended) The method of claim 15 further comprises
den 3 me occurrences of network anomalies; and

*c 1 os iito\ino cuts da a i_ y_> y - < iJ 

coram* loath >v in es of network events to an operator.

17. (Original) The method of claim ' the connection table im

of entries that are indexed by source address. 

18. (Original) The method of claim 14 wherein the connection table includes a plurality
of entries that are indexed by destination address.

1 ) t'i 1 i\ n ht < ibis i U ut ' v 1 m C m id a p a d 
of records that are indexed by time. 

20. (Original) The method of claim 14 wherein the connection table includes a plurality
of records that are indexed by source address, destination address and time. 

21. (Original) The method of claim 14 wherein the connection table includes a plurality
of connection sub-tables to track data at different time scales. 

22. (Currently Amended) The method of claim 2j_ 44 wherein the connection sub-tables
include a time-slice connection table that operates on a small unit of time and at least one other 
* ! s on £ u > i than the nc slice sub-tab w so \
23. (Original) A method of detecting a new host connecting to a network comprises:
receiving statistics collected from a host in the network; and 

indicating to a console that the host is a new host if, during a period of time 12 the host
transmits at least N pack i <. ceives at least N packets m< t t ^ <,s \ evci insmioed
and received more than N packets in any previous period of time with a duration of T. 

24. (Previously Presented) A method executed in a computing device for detecting a
nit u hos n i letv rk eon pi scs 

determining in the computing device, if both a mean historical rate of server response
, ^ i. Mi a a, -si is i ^ as than M and a ratio of a standard do\ boon of i m . „ rate of 
-.one response rscke 5 - h mi die host to a mean pioiiled one of sen ci k ^ \ v rv.-cko- < i it 
host is less than R over a period of time; and 

e j rese t 



